Bruce Lee Got it Right: 'Be Like Water' or 'Don't Block IP Addresses'

In the world of online security, it’s tempting to take a rigid, unyielding stance against bad actors. Block any suspicious IP address, and bam — problem solved, right? Not quite.

“Be like water making its way through cracks. Do not be assertive, but adjust to the object, and you shall find a way around or through it.” — Bruce Lee

The Problem with IP Blocking

Many security solutions rely heavily on IP address blocking as a primary defense. While seemingly straightforward, this tactic is fraught with issues:

Dynamic IP Addresses: IP addresses aren’t static. Residential addresses are reassigned by ISPs, and carrier-grade NAT, mobile networks and corporate proxies put many users behind a single address, so blocking the address a bad actor used yesterday blocks whoever holds it today.

Unwitting Accomplices: Legitimate users can become collateral damage. Malware on a user’s device can generate malicious traffic, triggering an IP block — preventing the actual user from accessing a website even though they’re unaware of the problem.

Transparency Aids the Enemy: A block that kicks in after a fixed number of failed logins tells the attacker exactly where the threshold is. Savvy fraudsters adjust their tactics, keeping each address just under the limit with “low and slow” attacks or rotating through proxies so that no single IP ever reaches it.

You Can’t Fix What You Can’t See: Once an IP address is blocked at the edge, the fraud mitigation system stops seeing what that attacker does next: which accounts are targeted, which credentials are tried, and how the tooling changes in response.

Embrace Fluidity, Not Rigidity

Instead of outright blocking, consider a more adaptive approach:

  • Gather Intelligence: Allow suspicious activity while closely monitoring it. Track patterns in login attempts, analyze user agent strings, observe browser language configurations.
  • Develop Comprehensive Signals: Identify unique indicators that transcend IP addresses — allowing you to track and mitigate malicious activity even when attackers switch proxies.
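The following is an added example, not code from the original post or from myNetWatchman, showing the difference between a per-IP failure threshold and the IP-independent signals described above. It runs over a constructed login log in which a credential-stuffing run is spread across five rotating proxies, two attempts each, while every attacker request shares the same client fingerprint (user agent and Accept-Language header). The log lines, addresses, usernames and thresholds are all constructed for illustration.

```python
"""Per-IP thresholds vs. IP-independent signals on a constructed login log."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int              # seconds since the start of the observation window
    ip: str
    username: str
    user_agent: str
    accept_language: str
    ok: bool             # True for a successful login


# Constructed sample data (not real traffic). Normal users first.
EVENTS = [
    LoginEvent(0, "203.0.113.10", "alice",
               "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0", "de-DE,de;q=0.9", True),
    LoginEvent(30, "203.0.113.11", "bob",
               "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15", "en-GB,en;q=0.8", False),
    LoginEvent(45, "203.0.113.11", "bob",
               "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15", "en-GB,en;q=0.8", True),
    # carol happens to sit behind one of the proxies the attacker is also using
    LoginEvent(50, "198.51.100.3", "carol",
               "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0", "fr-FR,fr;q=0.9", True),
]

# Attacker: ten stolen usernames sprayed over five proxies, two failures per
# address, all from the same automation tooling.
BOT_UA = "python-requests/2.31.0"
BOT_LANG = "en-US,en;q=0.5"
ATTACK_IPS = ["198.51.100.%d" % i for i in range(1, 6)]
VICTIMS = ["user%02d" % i for i in range(10)]
for i, user in enumerate(VICTIMS):
    EVENTS.append(LoginEvent(60 + i * 20, ATTACK_IPS[i // 2], user, BOT_UA, BOT_LANG, False))


def per_ip_block_list(events, max_failures=5):
    """Classic rule: block an address once it reaches max_failures failed logins."""
    failures = defaultdict(int)
    for e in events:
        if not e.ok:
            failures[e.ip] += 1
    return {ip for ip, n in failures.items() if n >= max_failures}


def collateral_users(events, blocked_ips):
    """Legitimate (successful) logins that a per-IP block would also stop."""
    return {e.username for e in events if e.ok and e.ip in blocked_ips}


def fingerprint(e):
    """Signals that survive a proxy rotation: client software and locale."""
    return (e.user_agent, e.accept_language)


def campaigns_by_fingerprint(events, min_failures=5, min_users=3):
    """Group failures by client fingerprint instead of by IP and report clusters
    that spray many accounts, however many addresses they arrive from."""
    clusters = defaultdict(lambda: {"ips": set(), "users": set(), "failures": 0})
    for e in events:
        if e.ok:
            continue
        c = clusters[fingerprint(e)]
        c["ips"].add(e.ip)
        c["users"].add(e.username)
        c["failures"] += 1
    return {fp: c for fp, c in clusters.items()
            if c["failures"] >= min_failures and len(c["users"]) >= min_users}


if __name__ == "__main__":
    print("per-IP blocks at 5 failures:", per_ip_block_list(EVENTS))
    aggressive = per_ip_block_list(EVENTS, max_failures=2)
    print("per-IP blocks at 2 failures:", sorted(aggressive),
          "collateral:", collateral_users(EVENTS, aggressive))
    for fp, c in campaigns_by_fingerprint(EVENTS).items():
        print("campaign", fp, "ips=%d users=%d failures=%d"
              % (len(c["ips"]), len(c["users"]), c["failures"]))
```

With the default threshold of five failures the per-IP rule blocks nothing, because no proxy ever exceeds two. Lowering the threshold to two catches all five proxies but also locks out carol, whose successful login came from one of the same addresses. Grouping by fingerprint instead reports one cluster of ten failures against ten accounts from five addresses, and the `users` set of that cluster is the list of accounts whose credentials the attacker evidently holds, which is the information an allow-and-observe policy exists to collect.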

At myNetWatchman, we still see millions of attacks against organizations using IP blocking tools. As fast as those IP addresses get blocked, miscreants change them, turning defense into a cat-and-mouse game. Meanwhile, the stolen credentials remain valid and keep being tried, and account takeover (ATO) continues to increase.

Stopping ATO at the root cause with compromised credential screening is independent of IP address — and helps organizations be more like water: adapting to the threat rather than playing defense that attackers have already learned to bypass.

Special Report

The mechanics of how email became the digital economy’s most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like — all documented in “The Lying Gatekeeper,” a special report from myNetWatchman.
